4
Protected Health Information  45 C.F.R. § 160.103  “Protected health information” (PHI): all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral 4

5
Limited Data Set  45 C.F.R. § 164.512(e)  “Limited data set:” removal of specified direct identifiers of the individual or of relatives, employers, or household members of the individual  CE may use or disclose only for research, public health, or health care operations, and only with a data use agreement with the data recipient. 5

6
De-identified Information  45 C.F.R. § 164.502(d)(2)  45 C.F.R. § 164.514(a) and (b)  “De-identified information:” neither identifies nor provides a reasonable basis to identify an individual.  (1) a formal determination by a qualified statistician; or  (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual. 6

8
Permitted Disclosure: Public Health  45 C.F.R. § 164.512(b)  To public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability  “Public health authority:” an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency 8

10
Authorized Disclosures  45 C.F.R. § 164.508  A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not specifically permitted or required by the HIPAA Privacy Rule.  Authorizations must:  Be in plain language  Contain specific information including: the information to be disclosed or used the person(s) disclosing and receiving the information expiration right to revoke in writing 10